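# VPC-side network segment(s) the IPsec clients are allowed to reach.
# From a security standpoint this is the route/allow-list pushed to remote
# clients: keep it as narrow as the use case permits instead of handing out
# the whole VPC CIDR.
variable "local_subnet" {
  type        = string
  nullable    = false
  description = <<EOT
  {
    "Description": {
      "en": "The local network segment refers to the network segment on the VPC side that needs to be interconnected with the client network segment. Use half-width commas (,) to separate multiple network segments, for example: 192.168.1.0/24,192.168.2.0/24.",
      "zh-cn": "本端网段，指需要和客户端网段互连的VPC侧的网段。"
    },
    "Label": {
      "en": "LocalSubnet",
      "zh-cn": "本端网段"
    }
  }
  EOT

  # Fail at plan time instead of at the API call: every comma-separated element
  # must parse as an IPv4 CIDR. No whitespace trimming on purpose — the
  # description specifies bare "a/b,c/d" with half-width commas, and an empty
  # string is rejected because split() yields one empty element.
  validation {
    condition = alltrue([
      for cidr in split(",", var.local_subnet) : can(cidrnetmask(cidr))
    ])
    error_message = "local_subnet must be one or more IPv4 CIDR blocks separated by half-width commas, e.g. 192.168.1.0/24,192.168.2.0/24."
  }
}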

# Controls when a changed negotiation configuration takes effect.
# true  -> apply immediately and tear down / re-negotiate the IPsec tunnel now.
# false -> re-negotiate lazily, on the next burst of traffic.
# Either path interrupts connectivity briefly (per the description), so plan
# config changes to the IKE/IPsec parameters as a maintenance action.
variable "effect_immediately" {
  description = <<EOT
  {
    "Description": {
      "en": "true: Apply the new configuration and trigger a reconnection immediately. \nfalse: Trigger a reconnection only when network traffic occurs. (The reconnection may cause the network to be unavailable for a brief moment)"
    },
    "Label": {
      "en": "EffectImmediately",
      "zh-cn": "是否删除当前已协商成功的IPsec隧道并重新发起协商"
    }
  }
  EOT
  type        = bool
}

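# Address pool from which the gateway hands out virtual-NIC addresses to
# connecting clients. It is NOT the clients' existing LAN range.
# NOTE(review): the description requires this pool not to overlap local_subnet;
# that cross-variable check is not expressed here (it would need a validation
# that references another variable), so the API remains the only guard against
# overlap — confirm the two ranges are disjoint before applying.
variable "client_ip_pool" {
  type        = string
  nullable    = false
  description = <<EOT
  {
    "Description": {
      "en": "Client network segment refers to the address segment that assigns access addresses to the virtual network card of the client. Note: The client network segment cannot conflict with the VPC side network segment.",
      "zh-cn": "客户端网段，为客户端虚拟网卡分配访问地址的地址段，不是指客户端已有的内网网段。"
    },
    "Label": {
      "en": "ClientIpPool",
      "zh-cn": "客户端网段"
    }
  }
  EOT

  # Reject anything that is not a single IPv4 CIDR at plan time; nullable=false
  # alone still lets an empty string through to the API.
  validation {
    condition     = can(cidrnetmask(var.client_ip_pool))
    error_message = "client_ip_pool must be a single IPv4 CIDR block, e.g. 10.10.0.0/24."
  }
}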

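# ID of the existing VPN gateway the IPsec server is attached to.
variable "vpn_gateway_id" {
  type        = string
  nullable    = false
  description = <<EOT
  {
    "Description": {
      "en": "VPN gateway instance ID."
    },
    "Label": {
      "en": "VpnGatewayId",
      "zh-cn": "VPN网关ID"
    }
  }
  EOT

  # nullable = false does not reject "", which would otherwise surface only as
  # an API error during apply.
  validation {
    condition     = length(var.vpn_gateway_id) > 0
    error_message = "vpn_gateway_id must not be empty."
  }
}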

# Phase-2 (IPsec SA) negotiation parameters, passed through to the provider
# untyped. The provider, not this module, validates the shape and the accepted
# values, so an unsupported key or algorithm name fails at apply time.
#
# Security note: the defaults listed in the metadata (IpsecAuthAlg sha1,
# IpsecPfs group2, IpsecEncAlg aes with no key size stated) are weak by
# current standards. Set the authentication, PFS group and cipher explicitly
# to the strongest values the peer clients support — check the provider /
# API documentation for the exact accepted identifiers before choosing them.
# Keep phase-2 and phase-1 (ike_config) choices aligned with your clients.
variable "ipsec_config" {
  description = <<EOT
  {
    "AssociationPropertyMetadata": {
      "Parameters": {
        "IpsecPfs": {
          "Type": "String",
          "Description": {
            "en": "The Diffie-Hellman key exchange algorithm used in the second phase of negotiation. Default value: group2."
          },
          "Required": false
        },
        "IpsecEncAlg": {
          "Type": "String",
          "Description": {
            "en": "Encryption algorithm negotiated in the second stage. Default value: aes."
          },
          "Required": false
        },
        "IpsecAuthAlg": {
          "Type": "String",
          "Description": {
            "en": "The authentication algorithm negotiated in the second phase. Default value: sha1."
          },
          "Required": false
        },
        "IpsecLifetime": {
          "Type": "Number",
          "Description": {
            "en": "The lifetime of the SA negotiated in the second stage. Default value: 86400, in seconds."
          },
          "Required": false
        }
      }
    },
    "Description": {
      "en": "Negotiation parameter configuration in the second phase."
    },
    "Label": {
      "en": "IpsecConfig",
      "zh-cn": "第二阶段协商的配置信息"
    }
  }
  EOT
  type        = any
}

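# Pre-shared key used to authenticate clients to the gateway (only relevant
# when psk_enabled is true).
#
# Handling of the secret:
#  - sensitive = true redacts the value from `terraform plan`/`apply` output,
#    CLI logs and CI transcripts. It does NOT encrypt it: the PSK is still
#    written in plaintext to the Terraform state, so the state backend must be
#    access-controlled and encrypted at rest.
#  - Per the description, passing null lets the gateway generate a random key;
#    that generated key is then read back into state as well.
#  - Prefer a long random value (e.g. from a random_password resource or a
#    secrets manager data source) over a hand-typed passphrase; the only hard
#    limit documented is the 100-character maximum enforced below.
variable "psk" {
  type        = string
  sensitive   = true
  description = <<EOT
  {
    "Description": {
      "en": "Pre-Shared key. Used for identity authentication between the VPN gateway and the client. A 16-bit random string is randomly generated by default, or you can manually specify the key. The length is limited to 100 characters."
    },
    "Label": {
      "en": "Psk",
      "zh-cn": "预共享密钥认证方式"
    }
  }
  EOT

  # Enforce the documented upper bound at plan time; null stays allowed so the
  # gateway-generated default remains reachable.
  validation {
    condition     = var.psk == null || length(var.psk) <= 100
    error_message = "psk must be at most 100 characters long."
  }
}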

# Phase-1 (IKE SA) negotiation parameters, passed through to the provider
# untyped. The provider, not this module, validates the keys and the accepted
# values, so mistakes surface at apply time rather than at plan time.
#
# Security notes on the defaults listed in the metadata:
#  - IkeAuthAlg sha1 and IkePfs group2 are weak by current standards; set them
#    explicitly to the strongest values your clients support (verify the exact
#    accepted identifiers in the provider / API documentation).
#  - IkeVersion defaults to ikev2 — keep it unless a client can only do IKEv1.
#  - IkeMode defaults to main; with IKEv1, aggressive mode exposes the
#    identity exchange unencrypted and should be avoided with a PSK.
#  - LocalId / RemoteId must match what the clients are configured to send;
#    the metadata says LocalId defaults to the gateway's public IP and
#    RemoteId defaults to empty.
variable "ike_config" {
  description = <<EOT
  {
    "AssociationPropertyMetadata": {
      "Parameters": {
        "IkeAuthAlg": {
          "Type": "String",
          "Description": {
            "en": "The authentication algorithm negotiated in the first phase. Default value: sha1."
          },
          "Required": false
        },
        "LocalId": {
          "Type": "String",
          "Description": {
            "en": "IPsec server ID. Support FQDN and IP address format, the default value is the VPN gateway public network IP address."
          },
          "Required": false
        },
        "IkeEncAlg": {
          "Type": "String",
          "Description": {
            "en": "Encryption algorithm negotiated in the first stage. Default value: aes."
          },
          "Required": false
        },
        "IkeVersion": {
          "Type": "String",
          "Description": {
            "en": "The version of the IKE protocol. Value: ikev1 or ikev2, default value: ikev2."
          },
          "Required": false
        },
        "IkeMode": {
          "Type": "String",
          "Description": {
            "en": "Negotiation mode of the IKE version. Default value: main."
          },
          "Required": false
        },
        "IkeLifetime": {
          "Type": "Number",
          "Description": {
            "en": "The life cycle of the SA negotiated in the first phase. Default value: 86400, in seconds."
          },
          "Required": false
        },
        "RemoteId": {
          "Type": "String",
          "Description": {
            "en": "Peer ID. Support FQDN and IP address format, the default value is empty."
          },
          "Required": false
        },
        "IkePfs": {
          "Type": "String",
          "Description": {
            "en": "The Diffie-Hellman key exchange algorithm used in the first stage of negotiation. Default value: group2."
          },
          "Required": false
        }
      }
    },
    "Description": {
      "en": "Negotiation parameter configuration in the first phase."
    },
    "Label": {
      "en": "IkeConfig",
      "zh-cn": "第一阶段协商的配置信息"
    }
  }
  EOT
  type        = any
}

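# Display name of the IPsec server. Optional: null leaves naming to the
# provider/API.
variable "ipsec_server_name" {
  type        = string
  description = <<EOT
  {
    "Description": {
      "en": "The value must be 2 to 128 characters in length and start with a letter or Chinese character. It can contain digits, underscores (_), and hyphens (-)."
    },
    "Label": {
      "en": "IpsecServerName",
      "zh-cn": "IPsec连接的名称"
    }
  }
  EOT

  # Enforce the documented constraints at plan time: 2..128 characters
  # (length() counts Unicode characters, so Chinese names are measured
  # correctly) and a leading letter — \p{L} covers Latin letters and Han
  # characters alike. The permitted-character set for the remainder is not
  # fully specified in the description, so it is deliberately not checked.
  validation {
    condition = var.ipsec_server_name == null || (
      length(var.ipsec_server_name) >= 2 &&
      length(var.ipsec_server_name) <= 128 &&
      can(regex("^\\p{L}", var.ipsec_server_name))
    )
    error_message = "ipsec_server_name must be 2 to 128 characters long and start with a letter or Chinese character."
  }
}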

# Switches pre-shared-key authentication on for this IPsec server. The
# description states that true is the only meaningful value, i.e. PSK is the
# authentication method this resource offers; the key itself comes from
# var.psk.
variable "psk_enabled" {
  description = <<EOT
  {
    "Description": {
      "en": "Whether to enable the pre-shared key authentication method. Only the value is true, which means that the pre-shared key authentication mode is enabled."
    },
    "Label": {
      "en": "PskEnabled",
      "zh-cn": "是否开启预共享密钥认证方式"
    }
  }
  EOT
  type        = bool
}

# IPsec server (remote-access VPN endpoint) attached to an existing VPN
# gateway. Every argument is a straight pass-through of the module variables;
# the nested IKE/IPsec settings are forwarded untyped and validated by the
# provider. Changing ike_config / ipsec_config re-negotiates the tunnel
# (timing governed by effect_immediately) and briefly drops client traffic.
resource "alicloud_vpn_ipsec_server" "ipsec_server" {
  # Placement and naming
  vpn_gateway_id    = var.vpn_gateway_id
  ipsec_server_name = var.ipsec_server_name

  # Addressing: VPC-side reachable ranges and the pool handed to clients
  local_subnet   = var.local_subnet
  client_ip_pool = var.client_ip_pool

  # Authentication (pre-shared key)
  psk_enabled = var.psk_enabled
  psk         = var.psk

  # Negotiation parameters and when a change to them is applied
  ike_config         = var.ike_config
  ipsec_config       = var.ipsec_config
  effect_immediately = var.effect_immediately
}

# Provider-assigned ID of the created IPsec server, for use by callers that
# need to reference it (e.g. in other resources or data sources).
output "ipsec_server_id" {
  description = "IPsec server ID."
  value       = alicloud_vpn_ipsec_server.ipsec_server.id
}

# Name of the IPsec server as stored on the resource (echoes var.ipsec_server_name
# when one was supplied).
output "ipsec_server_name" {
  description = "IPsec server name."
  value       = alicloud_vpn_ipsec_server.ipsec_server.ipsec_server_name
}

